转义urldecode unescape混乱
[英]escape urldecode unescape confusion
问题描述
I've got a TinyMCE editor - the contents of which need to be uploaded by AJAX. 
我有一个TinyMCE编辑器-其内容需要由AJAX上传。
Obviously because of the AJAX sending the parameters, they need to be escaped via javascripts escape() function, this is so it doesn't break the AJAX parameters. 显然,由于AJAX发送了参数,因此需要通过javascripts escape()函数对其进行转义,这样就不会破坏AJAX参数。 The fields are mysql_real_escape_string 'ed at the PHP side, I only need the escape for the AJAX parameters. 这些字段在PHP端是mysql_real_escape_string ,我只需要对AJAX参数进行转义。
Unfortunately, when I add links and images into the editor and then submit, the URLs to the images and links appear like this: 不幸的是,当我在编辑器中添加链接和图像然后提交时,图像和链接的URL如下所示:
http://localhost:8888/%22../img/miscimages/hwo-american.gif/%22
On the page where the contents are displayed to the user (the product view page), the string from the database is run through urldecode() to get rid of all the %22 and other escaped characters. 在向用户显示内容的页面(产品视图页面)上,来自数据库的字符串通过urldecode()运行,以消除所有%22和其他转义字符。 There is no javascript on this page, it's all generated with PHP, hence the urldecode() and not unescape() . 此页面上没有JavaScript,它们都是用PHP生成的,因此是urldecode()而不是unescape() 。 Is there any way around this? 有没有办法解决?
CODE: 码:
AJAX Send AJAX发送
function update(){
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}else{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
var response = xmlhttp.responseText;
alert(response);
window.location = 'admin-products.php';
}
}
var prodID=document.getElementById("editchoice").value;
var edittitle=escape(document.getElementById("editname").value);
var editcategory=document.getElementById("editcat").value;
var editcontent = escape(tinyMCE.get('editcontent').getContent());
var parameters= "prodID="+prodID+"&title="+edittitle+"&content="+editcontent+"&cat="+editcategory;
xmlhttp.open("POST", "../scr/editProduct.php", true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.send(parameters);
}
PHP Database Insert PHP数据库插入
$prodID = $_POST['prodID'];
$title = urldecode(mysql_escape_string($_POST['title']));
$content = urldecode(mysql_escape_string($_POST['content']));
$category = $_POST['cat'];
echo $prodID . $title . $content . $category;
mysql_query("UPDATE product SET title='$title', content='$content', category_id='$category' WHERE id='$prodID'") or die("ERROR: ".mysql_error());
PHP Display on Page PHP在页面上显示
/* Get Product from Alias */
$alias = $_GET['name'];
$product_selectProd = mysql_query("SELECT * FROM product WHERE alias='$alias'") or die("ERROR: ". mysql_error());
/* Sort Query Vars */
while($product_arrayProd = mysql_fetch_array($product_selectProd)){
$product_category = $product_arrayProd['category_id'];
$product_title = urldecode($product_arrayProd['title']);
$product_text = urldecode($product_arrayProd['content']);
$product_image = $product_arrayProd['main_image'];
$product_sub_image = $product_arrayProd['sub_image'];
/* Build the Product List */
$productDetail .= "<img src='$product_image' width='350' height='240' class='prod_image_left' /><img src='$category_image' width='350' height='240' class='prod_image_right' />";
$productDetail .= "<p> </p><h1>Fiddes $product_title</h1><hr />";
$productDetail .= "$product_text";
}
3 个解决方案
解决方案1
3 2011-03-03 10:25:46
From MDC: https://developer.mozilla.org/en/Core_JavaScript_1.5_Guide/Functions#escape_and_unescape_Functions 从MDC: https : //developer.mozilla.org/en/Core_JavaScript_1.5_Guide/Functions#escape_and_unescape_Functions
The escape and unescape functions do not work properly for non-ASCII characters and have been deprecated.
So don't use escape, it's deprecated :) 所以不要使用转义,它已被弃用:)
解决方案2
1 2011-03-03 10:40:54
just a note on your database insert. 只是关于数据库插入的注释。
you shouldn't use urldecode for the database insert.
您不应将urldecode用于数据库插入。 urlancodes has nothing to do with databases. urlancodes与数据库无关。 for the insert only database-related functions should be used. 对于插入操作,应仅使用与数据库相关的功能。
Do it somewhere else, not a the time when data being inserted to database.在其他地方执行此操作,而不是在将数据插入数据库时执行。 mysql_real_escape_string should be the very last thing applied to the data before insert. mysql_real_escape_string应该是插入之前应用于数据的最后一件事 。 Or you broke everything (as you do at the moment) 或者您破坏了一切(如您目前所做的那样) a minor issue.
一个小问题。 it's slightly better to use mysql_real_escape_string instead of mysql_escape_string. 最好使用mysql_real_escape_string而不是mysql_escape_string。 For some odd encodings it will cover your backs. 对于某些奇怪的编码,它会遮住您的后背。 Most terrible thing.
最可怕的事情。 You're not sanitizing numbers. 您没有在清理数字。 So, your code is open to sql injection attack. 因此,您的代码对sql注入攻击开放。 You have to either 你必须 - escape it the same way as strings, as you already quoting it 就像引用字符串一样,将其转义
- or cast it to prober type, using intval() function for example 或将其强制转换为探针类型,例如使用intval()函数
- or get rid of all escaping quoting and casting and use prepared statements to bind variables. 或摆脱所有转义的引号和强制转换,并使用准备好的语句来绑定变量。 (it will require major code changes) (这将需要重大代码更改)
- escape it the same way as strings, as you already quoting it
Same for alias variable and, I suppose, all other dynamic queries in your site. 别名变量以及您网站中的所有其他动态查询都相同。 You ought to fix it as soon as possible. 您应该尽快修复它。
解决方案3
1 已采纳 2011-03-03 13:42:25
似乎答案就在TinyMCE上,我是mysql_real_escape_string字符串,但是TinyMCE默认情况下已经为您做到了,因此当php对这些字符进行转义时,它仅转义了一个实例,而不是转义了所有实例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.